syntax = "proto3";

package v2ray.core.transport.internet.tls;
option csharp_namespace = "V2Ray.Core.Transport.Internet.Tls";
option go_package = "github.com/v2fly/v2ray-core/v5/transport/internet/tls";
option java_package = "com.v2ray.core.transport.internet.tls";
option java_multiple_files = true;

import "common/protoext/extensions.proto";

message Certificate {
  // TLS certificate in x509 format.
  bytes Certificate = 1;

  // TLS key in x509 format.
  bytes Key = 2;

  enum Usage {
    ENCIPHERMENT = 0;
    AUTHORITY_VERIFY = 1;
    AUTHORITY_ISSUE = 2;
    AUTHORITY_VERIFY_CLIENT = 3;
  }

  Usage usage = 3;

  string certificate_file = 96001 [(v2ray.core.common.protoext.field_opt).convert_time_read_file_into = "Certificate"];
  string key_file = 96002 [(v2ray.core.common.protoext.field_opt).convert_time_read_file_into = "Key"];
}

message Config {
  option (v2ray.core.common.protoext.message_opt).type = "security";
  option (v2ray.core.common.protoext.message_opt).short_name = "tls";

  // Whether or not to allow self-signed certificates.
  bool allow_insecure = 1 [(v2ray.core.common.protoext.field_opt).forbidden = true];

  // List of certificates to be served on server.
  repeated Certificate certificate = 2;

  // Override server name.
  string server_name = 3;

  // Lists of string as ALPN values.
  repeated string next_protocol = 4;

  // Whether or not to enable session (ticket) resumption.
  bool enable_session_resumption = 5;

  // If true, root certificates on the system will not be loaded for
  // verification.
  bool disable_system_root = 6;

  /* @Document A pinned certificate chain sha256 hash.
     @Document If the server's hash does not match this value, the connection will be aborted.
     @Document This value replace allow_insecure.
     @Critical
  */
  repeated bytes pinned_peer_certificate_chain_sha256 = 7;

  // If true, the client is required to present a certificate.
  bool verify_client_certificate = 8;
}